Bug #4463

closed

osmo-pcu crash after re-enabling MS RA capabilities parsing from SGSN messages

Added by pespin about 4 years ago. Updated about 4 years ago.

Status: Resolved
Priority: Normal
Assignee:
Target version: -
Start date: 03/20/2020
Due date:
% Done: 100%
Spec Reference:

Description

Today I was running a network setup with osmo-pcu on my laptop with 2 mobile phones registering, and osmo-pcu crashed.

It seems related to the RA Cap messages we enabled recently coming from osmo-sgsn in osmo-pcu.

<000b> /home/pespin/dev/sysmocom/git/libosmocore/src/gb/gprs_ns.c:321 NSVCI=65534 Creating NS-VC with Signal weight 1, Data weight 1
20200320204116517 DLGLOBAL <000e> /home/pespin/dev/sysmocom/git/libosmocore/src/vty/telnet_interface.c:104 Available via telnet 127.0.0.1 4240
20200320204116517 DL1IF <0001> /home/pespin/dev/sysmocom/git/osmo-pcu/src/osmobts_sock.cpp:211 Opening OsmoPCU L1 interface to OsmoBTS
20200320204116517 DL1IF <0001> /home/pespin/dev/sysmocom/git/osmo-pcu/src/osmobts_sock.cpp:229 osmo-bts PCU socket /tmp/pcu_bts has been connected
20200320204116517 DL1IF <0001> /home/pespin/dev/sysmocom/git/osmo-pcu/src/pcu_l1_if.cpp:136 Sending 0.8.0.81-570f TXT as PCU_VERSION to BTS
20200320204116517 DL1IF <0001> /home/pespin/dev/sysmocom/git/osmo-pcu/src/pcu_l1_if.cpp:501 BTS available
20200320204116517 DNS <000b> /home/pespin/dev/sysmocom/git/libosmocore/src/gb/gprs_ns.c:2070 Listening for nsip packets from 192.168.30.1:23000 on 0.0.0.0:23020
20200320204116517 DNS <000b> /home/pespin/dev/sysmocom/git/libosmocore/src/gb/gprs_ns.c:2094 NS UDP socket at 0.0.0.0:23020
20200320204116517 DNS <000b> /home/pespin/dev/sysmocom/git/libosmocore/src/gb/gprs_ns.c:321 NSVCI=1800 Creating NS-VC with Signal weight 1, Data weight 1
20200320204116517 DNS <000b> /home/pespin/dev/sysmocom/git/libosmocore/src/gb/gprs_ns.c:2113 NSEI=1800 RESET procedure based on API request
20200320204116517 DNS <000b> /home/pespin/dev/sysmocom/git/libosmocore/src/gb/gprs_ns.c:559 NSEI=1800 Tx NS RESET (NSVCI=1800, cause=O&M intervention)
20200320204116517 DL1IF <0001> /home/pespin/dev/sysmocom/git/osmo-pcu/src/pcu_l1_if.cpp:148 Sending activate request: trx=0 ts=6
20200320204116517 DL1IF <0001> /home/pespin/dev/sysmocom/git/osmo-pcu/src/pcu_l1_if.cpp:627 PDCH: trx=0 ts=6
20200320204116517 DL1IF <0001> /home/pespin/dev/sysmocom/git/osmo-pcu/src/pcu_l1_if.cpp:148 Sending activate request: trx=0 ts=7
20200320204116517 DL1IF <0001> /home/pespin/dev/sysmocom/git/osmo-pcu/src/pcu_l1_if.cpp:627 PDCH: trx=0 ts=7
20200320204116518 DNS <000b> /home/pespin/dev/sysmocom/git/libosmocore/src/gb/gprs_ns.c:1354 NSVCI=1800 Rx NS RESET ACK (NSEI=1800, NSVCI=1800)
20200320204116518 DNS <000b> /home/pespin/dev/sysmocom/git/libosmocore/src/gb/gprs_ns.c:704 NSEI=1800 Tx NS UNBLOCK (NSVCI=1800)
20200320204116518 DNS <000b> /home/pespin/dev/sysmocom/git/libosmocore/src/gb/gprs_ns.c:1806 NSEI=1800 Rx NS UNBLOCK ACK
20200320204116518 DPCU <000d> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_bssgp_pcu.cpp:576 NS-VC 1800 is unblocked.
20200320204116518 DBSSGP <000c> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_bssgp_pcu.cpp:857 Sending reset on BVCI 0
20200320204116518 DBSSGP <000c> /home/pespin/dev/sysmocom/git/libosmocore/src/gb/gprs_bssgp_bss.c:300 BSSGP (BVCI=0) Tx BVC-RESET CAUSE=O&M intervention
20200320204116518 DBSSGP <000c> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_bssgp_pcu.cpp:323 Rx BSSGP BVCI=0 (SIGN) BVC_RESET_ACK
20200320204116518 DBSSGP <000c> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_bssgp_pcu.cpp:865 Sending reset on BVCI 1800
20200320204116518 DBSSGP <000c> /home/pespin/dev/sysmocom/git/libosmocore/src/gb/gprs_bssgp_bss.c:300 BSSGP (BVCI=1800) Tx BVC-RESET CAUSE=O&M intervention
20200320204116518 DBSSGP <000c> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_bssgp_pcu.cpp:323 Rx BSSGP BVCI=0 (SIGN) BVC_RESET_ACK
20200320204116518 DBSSGP <000c> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_bssgp_pcu.cpp:874 Sending unblock on BVCI 1800
20200320204116518 DBSSGP <000c> /home/pespin/dev/sysmocom/git/libosmocore/src/gb/gprs_bssgp_bss.c:281 BSSGP (BVCI=1800) Tx BVC-UNBLOCK
20200320204116518 DBSSGP <000c> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_bssgp_pcu.cpp:337 Rx BSSGP BVCI=0 (SIGN) BVC_UNBLOCK_ACK
20200320204531628 DL1IF <0001> /home/pespin/dev/sysmocom/git/osmo-pcu/src/pcu_l1_if.cpp:442 RACH request received: sapi=1 qta=-1, ra=118, fn=1307419, cur_fn=1307423, is_11bit=0
20200320204532025 DCSN1 <0000> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gsm_rlcmac.cpp:5026 csnStreamDecoder (type=5):
20200320204532025 DRLCMAC <0002> /home/pespin/dev/sysmocom/git/osmo-pcu/src/pdch.cpp:609 MS supports EGPRS multislot class 12.
20200320204532025 DTBF <0008> /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf.cpp:992 Allocating UL TBF: MS_CLASS=12/12
20200320204532026 DTBF <0008> /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf.cpp:541 TBF(TFI=0 TLLI=0x00000000 DIR=UL STATE=NULL) Setting Control TS 6
20200320204532026 DTBF <0008> /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf.cpp:948 TBF(TFI=0 TLLI=0x00000000 DIR=UL STATE=NULL) Allocated: trx = 0, ul_slots = 40, dl_slots = 00
20200320204532048 DTBF <0008> /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf.cpp:1374 TBF(TFI=0 TLLI=0x8faaadbd DIR=UL STATE=ASSIGN) start Packet Uplink Assignment (PACCH)
20200320204532048 DCSN1 <0000> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gsm_rlcmac.cpp:5185 csnStreamDecoder (type=10):
20200320204532048 DTBFDL <0009> /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf.cpp:782 TBF(TFI=0 TLLI=0x8faaadbd DIR=UL STATE=ASSIGN) Scheduled UL Assignment polling on PACCH (FN=1307553, TS=7)
20200320204532264 DCSN1 <0000> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gsm_rlcmac.cpp:5026 csnStreamDecoder (type=1):
20200320204532264 DTBF <0008> /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf.cpp:544 TBF(TFI=0 TLLI=0x8faaadbd DIR=UL STATE=FLOW) Changing Control TS 6
20200320204532481 DBSSGP <000c> /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf_ul.cpp:404 LLC [PCU -> SGSN] TBF(TFI=0 TLLI=0x8faaadbd DIR=UL STATE=FLOW) len=52
20200320204532482 DCSN1 <0000> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gsm_rlcmac.cpp:5792 csnStreamDecoder (RAcap):
20200320204532482 DRLCMACDATA <0003> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gsm_rlcmac.cpp:5800 Got 7 remaining bits unhandled by decoder at the end of bitvec
20200320204532482 DBSSGP <000c> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_bssgp_pcu.cpp:163 LLC [SGSN -> PCU] = TLLI: 0x8faaadbd IMSI: 000 len: 9
20200320204532482 DTBF <0008> /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf.cpp:1071 Allocating DL TBF: MS_CLASS=12/12
20200320204532482 DTBF <0008> /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf.cpp:541 TBF(TFI=0 TLLI=0x00000000 DIR=DL STATE=NULL) Setting Control TS 6
20200320204532482 DTBF <0008> /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf.cpp:948 TBF(TFI=0 TLLI=0x8faaadbd DIR=DL STATE=NULL) Allocated: trx = 0, ul_slots = 40, dl_slots = 40
20200320204532482 DTBF <0008> /home/pespin/dev/sysmocom/git/osmo-pcu/src/bts.cpp:898 TBF(TFI=0 TLLI=0x8faaadbd DIR=DL STATE=ASSIGN) TX: START Immediate Assignment Downlink (PCH)
*** stack smashing detected ***: terminated

Program received signal SIGABRT, Aborted.
0x00007ffff77b7ce5 in raise () from /usr/lib/libc.so.6
(gdb) bt
#0  0x00007ffff77b7ce5 in raise () from /usr/lib/libc.so.6
#1  0x00007ffff77a1857 in abort () from /usr/lib/libc.so.6
#2  0x00007ffff77fb2b0 in __libc_message () from /usr/lib/libc.so.6
#3  0x00007ffff788b06a in __fortify_fail () from /usr/lib/libc.so.6
#4  0x00007ffff788b034 in __stack_chk_fail () from /usr/lib/libc.so.6
#5  0x0000555555581e4f in gprs_bssgp_pcu_rx_dl_ud (msg=0x55555572fce0,
    tp=0x7fffffffbc80)
    at /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_bssgp_pcu.cpp:167
#6  0x0000555500000000 in ?? ()
#7  0x00007ffff7f6cf40 in ?? ()
   from /home/pespin/dev/sysmocom/build/new/out/lib/libosmogsm.so.13
#8  0x000055555572e6d0 in ?? ()
#9  0x00007fffffffbc80 in ?? ()
#10 0x000055555572fce0 in ?? ()
#11 0x00000000ffffbc30 in ?? ()
#12 0x0000070800000000 in ?? ()
#13 0x000055555572fd80 in ?? ()
#14 0x460dab82121f6200 in ?? ()
#15 0x000055555565d380 in ?? ()
#16 0x00005555556aced0 in ?? ()
#17 0x00007fffffffcca0 in ?? ()
#18 0x000055555558303c in gprs_bssgp_pcu_rcvmsg (
    msg=<error reading variable: Cannot access memory at address 0xabd8>)
--Type <RET> for more, q to quit, c to continue without paging--
    at /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_bssgp_pcu.cpp:465
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) l
173                     quit = 1;
174                     break;
175             case SIGABRT:
176                     /* in case of abort, we want to obtain a talloc report
177                      * and then return to the caller, who will abort the process
178                      */
179             case SIGUSR1:
180             case SIGUSR2:
181                     talloc_report_full(tall_pcu_ctx, stderr);
182                     break;
(gdb) frame 5
#5  0x0000555555581e4f in gprs_bssgp_pcu_rx_dl_ud (msg=0x55555572fce0,
    tp=0x7fffffffbc80)
    at /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_bssgp_pcu.cpp:167
167     }
(gdb) l
162
163             LOGP(DBSSGP, LOGL_INFO, "LLC [SGSN -> PCU] = TLLI: 0x%08x IMSI: %s len: %d\n", tlli, imsi, len);
164
165             return gprs_rlcmac_dl_tbf::handle(the_pcu.bts, tlli, tlli_old, imsi,
166                             ms_class, egprs_ms_class, delay_csec, data, len);
167     }
168
169     static int gprs_bssgp_pcu_rx_paging_cs(struct msgb *msg, struct tlv_parsed *tp)
170     {
171             const uint8_t *mi;

Files

crashing_packets.pcapng (1000 Bytes) pespin, 03/20/2020 07:59 PM